U.S. government urges Microsoft Internet Explorer users to switch browsers until major bug fixed

A security risk recently discovered in Microsoft Corp.’s Internet Explorer browser which hackers have exploited to launch a “limited” number of cyber attacks has prompted the U.S. Department of Homeland Security to urge users to consider alternative Web browsers until a patch is issued.

Amazon.com Inc, Cisco Systems Inc, Facebook Inc, Google Inc, IBM, Intel Corp and Microsoft Corp are among a dozen companies that have agreed to be founders of the group, known as Core Infrastructure Initiative. Each will donate $300,000 to the venture. Keep reading.

Microsoft said its researchers are rushing to provide an update that addresses the flaw, which affects several versions of its Internet Explorer software, but have not said when a fix will be available.

On Sunday, the software giant said it was aware of “limited, targeted attacks” that attempt to exploit the vulnerability, which could grant hackers “the same user rights as the current user” on a compromised system, enabling them to potentially install malicious programs, view sensitive data or create new user accounts.

However, the matter is more complicated for those computers still running Microsoft’s older Windows XP operating system, which was launched in 2001.

Because Microsoft stopped providing support for Windows XP on April 8, the company will not be providing a security fix for those versions of Internet Explorer that run on Windows XP.

“Microsoft no longer provides security updates for this operating system. Our advice to customers is to migrate to a modern OS, like Windows 7 or Windows 8.1,” a Microsoft spokesperson said in an email to the Financial Post.

“We encourage customers to follow the suggested mitigations outlined in the security advisory while an update is finalized.”

According to security firm FireEye Inc., which first reported the exploit on Friday, the vulnerability can affect versions of Internet Explorer as far back as IE 6. However one active threat is targeting more recent versions of the browser, numbered 9 through 11.

The researchers who discovered the exploit have dubbed it “Operation Clandestine Fox” but have declined to provide specific details about which organizations the hackers have attempted to exploit.

“It’s a campaign of targeted attacks seemingly against U.S.-based firms, currently tied to defense and financial sectors,” FireEye spokesman Vitor De Souza told Reuters on Sunday.

“It’s unclear what the motives of this attack group are, at this point. It appears to be broad-spectrum intel gathering.”

Data from tracking firm NetMarket Share indicates that Internet Explorer versions 6 through 11 accounted for more than 55% of the desktop browser market in 2013.

Related

On Monday, the United States Computer Emergency Readiness Team (US-CERT) — a division of the Department of Homeland Security — said it was aware of “active exploitation” of the flaw, and advised Internet users to consider using different Web browsers until Microsoft can provide a security update.

“US-CERT is aware of active exploitation of a use-after-free vulnerability in Microsoft Internet Explorer. This vulnerability affects IE versions 6 through 11 and could lead to the complete compromise of an affected system,” the organization said in a statement.

While Microsoft searches for an answer, the company has advised companies to use its Enhanced Mitigation Experience Toolkit (EMET), which can help to mitigate attacks that attempt to exploit the vulnerabilities.